package cn.itcast.Config;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;


@EnableWebSecurity
//securedEnabled:解锁是在方法执行前验证,还是在方法执行完后验证
//prePostEnabled:解锁访问一个业务方法需要莫格权限或者角色
@EnableGlobalMethodSecurity(securedEnabled = true,prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.
                authorizeRequests()
                .antMatchers("/css/**", "/img/**", "/js/**", "/plugins/**", "/template/**", "/login.html").permitAll() //任何人都可以访问
                .antMatchers("/index.html").fullyAuthenticated() //指定通过url认证后才能访问的路径
                .anyRequest().authenticated()    //操作必须是已登录状态

                .and()
                .formLogin() //允许表单登录
                .loginPage("/login.html")//跳转自己定制的登录界面
                .loginProcessingUrl("/user/login") //点击登录后请求的提交地址
                .defaultSuccessUrl("/index.html") //登录成功后重定向到指定页面

                .and()
                .logout()
                .logoutUrl("/user/logout") //退出登录的请求路径
                .logoutSuccessUrl("/login.html")
                .permitAll()     //自定义登录页面权限放开

                .and()
                .csrf().disable()  //解除跨站请求伪造防护功能，
                .httpBasic()

                .and()
                .headers().frameOptions().sameOrigin(); // 设置允许嵌套页面上的iframe
        ;
    }
}
